Author

Roberto Zambelli FCCA is head of audit, VodafoneThree

Have you, as an internal auditor, ever been at an event and been asked what it is you actually do? If so, you’re not alone. Not only do internal auditors’ exact roles and responsibilities vary significantly across organisations and industries, but there can also often be a lack of clarity within a single organisation.

A 2022 IFAC report found that 73% of internal audit heads consider themselves independent advisers, but only 43% of management agree with that characterisation. Many internal stakeholders, it seems, view internal auditors merely as compliance enforcers.

This perception gap means that organisations are not investing in the audit skills that would make auditors true strategic partners. It also undermines internal audit’s core role of providing reliable, independent assurance. Its ability to look across the entire organisation positions it perfectly to act as an independent resource to identify strengths, weaknesses and opportunities. Given evolving risks such as AI and geopolitical pressures, that objective view matters more than ever.

Lines of defence

Although it has been criticised, the three lines of defence model – where the first line owns risk, the second manages risk oversight, and the third (internal audit) provides independent assurance – remains in my view still relevant and central to governance frameworks.

However, in practice, roles frequently overlap. It is not unusual for internal audit teams to find themselves performing activities that resemble second-line risk advisory work or operational tasks. This requires careful consideration, as advisory involvement may blur independence, contributing to the confusion about internal audit’s core mandate.

Equally important is the current skills gap. Despite living through an era of significant and transformative risks (geopolitical uncertainty, digital disruption and the ever-increasing complexity of cyber attacks), many internal audit teams struggle to attract and develop expertise to tackle the day-to-day mission, let alone address forward-looking risks.

Deep change

Addressing these issues requires more than incremental improvement. It requires a fundamentally more agile internal audit methodology that combines technical proficiency, forward-looking scenario analysis, and stronger advisory and influencing skills. However, methodology alone is unlikely to be sufficient. A deeper transformation may be required, with internal audit moving away from traditional, linear ways of working that were designed primarily for retrospective assurance rather than complex, fast-moving risk environments.

Instead of the long-standing model of broadly skilled internal auditors, the focus could shift towards specialised, multidisciplinary groups, or ‘pods’. These pods would bring together professionals with advanced expertise in areas such as data analytics, cybersecurity, technology risk, behavioural science or regulatory change, coordinated by a qualified internal auditor who ensures coherence, independence and alignment with assurance standards.

This model mirrors operating structures that are increasingly being adopted in risk management and transformation functions, where depth of expertise is prioritised over uniform capability. From an efficiency perspective, it may also address skills shortages by concentrating scarce expertise where it adds the greatest value.

Along these lines, the Institute of Internal Auditors (IIA) has introduced topical requirements as mandatory components of its International Professional Practices Framework – setting baseline expectations for auditing specific risk domains such as the Organizational Behavior TR published in December 2025. This development signals that standard-setting bodies recognise that value creation and risk exposure increasingly arise from non-financial and ‘soft risk’ areas such as culture, leadership and decision-making behaviour, and not solely from control design and compliance.

While establishing a behavioural baseline represents progress beyond traditional audits, critics may argue that it risks diverting limited internal audit capacity towards areas perceived as less urgent by boards, addressing what may be seen as nice-to-haves rather than the core drivers of existential threat, resilience and long-term organisational survival.

Strengthening strategies

To address these pressures and support the evolution of internal audit, there are three key areas to work on.

First, consider creating a structured, harmonic and explicit governance mandate for internal audit. Internal audit functions should work with audit committees and executive management to clearly articulate what internal audit represents as a minimum viable product across the organisation. This includes defining its purpose, scope, degree of independence and expected value contribution beyond compliance.

A clearly documented mandate, embedded in the audit charter and reinforced through governance forums, helps manage stakeholder expectations. It also reduces the perception gap between internal audit’s self-image and how it is experienced by management.

Research by the IIA consistently shows that internal audit functions with strong audit committee sponsorship and a clearly defined mandate report higher perceived value and greater influence over strategic decision-making. The IIA has a role to play here too, by assertively guiding organisations towards a more harmonious structure.

Second, look at increasing accountability for quality and performance. According to IIA standards, external quality assessments must be conducted at least every five years. Boards should use these reviews and results to ensure the internal audit function goes beyond simply meeting requirements. By openly communicating on improvement actions, participating in comparative rankings and ensuring transparency in ownership and outcomes, internal audit can boost credibility and further develop its professional reputation.

Finally, invest in building specialist capability in priority risk areas. As mentioned earlier, internal audit should shift from a predominantly generalist model to targeted specialisation in high-risk and emerging domains such as cyber, data and AI, ESG and behavioural risk.

Forward!

By truly investing in specialist skills through varied recruitment, upskilling and flexible resourcing models, the function will be better able to provide forward-looking assurance and relevant insight to the board.

Internal audit in 2026 is merely surviving, while the landscape is transforming. Internal audit tells itself how important it is, gives itself awards, produces conferences by auditors for auditors, but rarely produces a loud roar. Without adequate external visibility and a clear, harmonious strategic positioning, the profession’s relevance will become increasingly threatened in this rapidly changing world.

More information

Read other AB articles by Roberto Zambelli on internal audit: ‘AI moves into internal audit’ and ‘Making AI work for internal audit’.
